Security Requirements
All teams shall apply the principles and requirements of ISO 19650-5 for security-minded Building Information Modelling, digital built environments and smart asset management.
Conditions for Computing Facilities & Data Handling
All parties providing services may use their own computing facilities to deliver services with the following conditions:
- Computing facilities must be separate from personal computing facilities used by themselves or their families (e.g., for leisure) and must employ best-practice security controls with up-to-date antivirus control, personal firewall, access control, disk encryption, and software patches.
- Use of these facilities should be limited to activities involving client data (e.g., producing reports, reviewing documents, emailing) and should not involve storing/processing large volumes of client data (e.g., database extracts).
- Where the computer connects to a remote network, an encrypted link must be used.
- Data will be stored in a cloud server and backed up continuously.
- Data will not be transferred via non-secure FTP.
- Computer hard disk drives should be securely erased before disposal or recycling.
- If the data warrants a Government protective marking, the disk encryption employed must conform to CAPS.
- No emails containing protectively marked or personal data, or any other type of sensitive information, should be sent un-encrypted over the internet.
- Any removable media used to transport data outside of secure buildings must be encrypted with a product certified to FIPS 140-2. Once no longer required, these devices should be securely disposed of.
- In compliance with the Data Protection Act, any personal data must be deleted when no longer required and must not be used for any other purposes other than that for which it was collected. It must not be retained beyond the duration of engagement.
- Where there is a need to provide access to large volumes of personal or protectively marked data, only client computing facilities must be used. Removable media provided by the client must be returned after use.
- Paper records containing sensitive or personal data should be stored, transported, and disposed of securely.
- Sensitive waste paper should be collected separately from normal waste and stored securely pending destruction by shredding or burning.